minor adjustments

elk/README.md

@@ -15,7 +15,7 @@ Different lists to work with the Elastic Stack without using sigma rules by http
 7. Select "Indicator Match"
 ![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/7f13d07c-bf3a-4f07-b415-44ff1bd62ba1)
 
-8. NOTICE! Provided screenshot is only a example (documentation) https://www.elastic.co/guide/en/security/7.17/rules-ui-create.html#indicator-value-lists **change values as shown below (number 9-14)
+8. NOTICE! Provided screenshot is only a example (documentation) https://www.elastic.co/guide/en/security/7.17/rules-ui-create.html#indicator-value-lists **change values as shown below (number 9-14)**
 ![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/a8daaa41-44ee-434b-803a-8263ad1370cd)
 
 9. **Source:** Choose your index for where you have your windows logs
@@ -35,7 +35,29 @@ Different lists to work with the Elastic Stack without using sigma rules by http
 
 You can do the same with th_keywords_processnames_elk.txt and the other files **as long as the field type is text**
 Upload it and follow the same steps, at number 12 change the list_id to th_keywords_processnames_elk.txt
-Then change the indicator mapping field to process.name instead.
+Then change the indicator mapping field to process.name instead (field type must be text).
 
 
 
+**Reference list**
+rmm_domain_names_elk.txt is a custom list from 
+https://github.com/jischell-msft/RemoteManagementMonitoringTools/blob/main/Network%20Indicators/RMM_SummaryNetworkURI.csv
+
+**Files**
+
+*Observere that the field types you want to match words on must be a text field type.*
+
+creds_catcher.txt, use on process.command_line AND powershell scriptblock to catch bad password usage
+
+rmm_domain_names_elk.txt, use on events where you have domain names to catch suspicious activity to RMM domains
+
+suspicious_named_pipe_elk.txt, use on events with named pipes.
+
+suspicious_windows_services_names_elk.txt, use on events with service names.
+
+th_keywords_elk.txt, use on process.command_line AND powershell scriptblock to catch malicious activity
+
+th_keywords_processnames_elk.txt, use on events where you have process.names OR parent.process.names
+
+user_agent_elk.txt, use on events where you have user_agent fields to catch malicious activity
+

elk/th_keywords_processnames_elk.txt

@@ -10,7 +10,7 @@ adconnectdump.exe
 adcskiller.exe
 adcspwn.exe
 adexplorer.exe
-adexplorersnapshot.py.exe
+adexplorersnapshot.exe
 adfind.exe
 adfspoof.exe
 adfspray.exe
@@ -162,22 +162,6 @@ cut.exe
 cytool.exe
 damp.exe
 daphne.exe
-ftype.exe
-sharptoken.exe
-t14m4t.exe
-ssrfmap.exe
-undertheradar.exe
-cloakify.exe
-pywsus.exe
-dnsdumpster.exe
-hcxdumptool.exe
-beelogger.exe
-proxyshell.exe
-arpspoofing.exe
-phoenix.exe
-miner.exe
-afrog.exe
-pyexec.exe
 darkarmour.exe
 darkloadlibrary.exe
 darkwidow.exe
@@ -393,76 +377,6 @@ injectify.exe
 injectproc.exe
 insecurepowershell.exe
 inspectassembly.exe
-exrop.exe
-webdavc2.exe
-touch.exe
-vrealizeloginsightrce.exe
-xerror.exe
-w3af.exe
-dsdbutil.exe
-privfu.exe
-merlin.exe
-nimexec.exe
-swampthing.exe
-p0wny.exe
-credphisher.exe
-tokenvator.exe
-pplkiller.exe
-fakecmdline.exe
-eqgrp.exe
-tools.exe
-attifyos.exe
-sudosnatch.exe
-githubc2.exe
-lyncsmash.exe
-osmedeus.exe
-striker.exe
-owasp.exe
-sniffair.exe
-schedulerunner.exe
-abandonedcomkeys.exe
-krbjack.exe
-obfy.exe
-sqlmap.exe
-rasmanpotato.exe
-lapsdumper.exe
-h8mail.exe
-impacket.exe
-targetedkerberoast.exe
-hping.exe
-sharpunhooker.exe
-silentmoonwalk.exe
-smuggler.exe
-group3r.exe
-adcspwn.exe
-scriptsentry.exe
-archerysec.exe
-inveigh.exe
-pingcastle.exe
-fcrackzip.exe
-pastebin.exe
-webbrowserpassview.exe
-finduncommonshares.exe
-nimcrypt2.exe
-powerforensics.exe
-srdi.exe
-tetanus.exe
-sqlninja.exe
-donpapi.exe
-mars.exe
-stealer.exe
-sshlooterc.exe
-deathstar.exe
-prt.exe
-dumpcreds.exe
-apt.exe
-pecloak.exe
-boinc.exe
-ratchatpt.exe
-delegationbof.exe
-maliciousmacromsbuild.exe
-atlasc2.exe
-atomldr.exe
 interactsh.exe
 intercepter.exe
 intruderpayloads.exe
@@ -536,6 +450,7 @@ macchanger.exe
 macetrap.exe
 macrome.exe
 macrometer.exe
+mail.exe
 mailpv.exe
 mailsniper.exe
 maliciousmacrogenerator.exe
@@ -555,8 +470,8 @@ metatwin.exe
 metetool.exe
 mhydeath.exe
 microburst.exe
-mimikatz.exe
 mimi.exe
+mimikatz.exe
 mimikittenz.exe
 mimipenguin.exe
 miner.exe
@@ -575,20 +490,6 @@ mortar.exe
 mousejack.exe
 movfuscator.exe
 msbuildshell.exe
-unhookingpatch.exe
-cobaltstrike.exe
-nc.exe
-pipeviewer.exe
-spring4shell.exe
-vscode.exe
-sharpcollection.exe
-routerscan.exe
-aclpwn.exe
-junctionfolder.exe
-winshellcode.exe
-gmsapasswordreader.exe
-nuages.exe
-gmsadumper.exe
 msdat.exe
 msfpc.exe
 msfvenom.exe
@@ -775,17 +676,6 @@ ratchatgpt.exe
 ratchatpt.exe
 rdpassspray.exe
 rdpcredentialstealer.exe
-bulletpassview.exe
-inspectassembly.exe
-linuxprivchecker.exe
-bypassclm.exe
-modlishka.exe
-ruby.exe
-wdextract.exe
-brutesploit.exe
-s3scanner.exe
-cme.exe
-autotimeliner.exe
 rdpinception.exe
 rdpscraper.exe
 rdpspray.exe
@@ -999,6 +889,7 @@ threadlessinject.exe
 threatcheck.exe
 thunderdns.exe
 thundershell.exe
+tiamat.exe
 timeroast.exe
 tmpdavfs.exe
 tmpwatch.exe
@@ -1052,9 +943,11 @@ wbadmin.exe
 wce.exe
 wcmdump.exe
 wdextract.exe
+weaf.exe
 weakpass.exe
 webbrowserpassview.exe
 webdav.exe
+webdavc.exe
 weevely.exe
 wepwnise.exe
 wertrigger.exe
@@ -1096,4 +989,4 @@ xxeinjector.exe
 yodo.exe
 zarp.exe
 zerologon.exe
-zloader.exe
+zloader.exe